feature: header encoder filter #3231

Open
wants to merge 3 commits into
base: master
2 changes: 2 additions & 0 deletions filters/builtin/builtin.go
Expand Up @@ -139,6 +139,8 @@ func Filters() []filters.Spec {
NewSetPath(),
NewModRequestHeader(),
NewModResponseHeader(),
NewEncodeRequestHeader(),
NewEncodeResponseHeader(),
NewDropQuery(),
NewSetQuery(),
NewHealthCheck(),
167 changes: 167 additions & 0 deletions filters/builtin/header_encode.go
@@ -0,0 +1,167 @@
package builtin

import (
log "github.com/sirupsen/logrus"
"github.com/zalando/skipper/filters"
xencoding "golang.org/x/text/encoding"
"golang.org/x/text/encoding/charmap"
)

type encodeTyp int

const (
requestEncoder encodeTyp = iota + 1
responseEncoder
)

type encodeHeaderSpec struct {
typ encodeTyp
}

type encodeHeader struct {
typ encodeTyp
header string
encoder *xencoding.Encoder
}

func NewEncodeRequestHeader() *encodeHeaderSpec {
return &encodeHeaderSpec{
typ: requestEncoder,
}
}
func NewEncodeResponseHeader() *encodeHeaderSpec {
return &encodeHeaderSpec{
typ: responseEncoder,
}
}

func (spec *encodeHeaderSpec) Name() string {
switch spec.typ {
case requestEncoder:
return filters.EncodeRequestHeaderName
case responseEncoder:
return filters.EncodeResponseHeaderName
}
return "unknown"
}

func (spec *encodeHeaderSpec) CreateFilter(args []interface{}) (filters.Filter, error) {
if len(args) != 2 {
return nil, filters.ErrInvalidFilterParameters
}

header, ok := args[0].(string)
if !ok {
return nil, filters.ErrInvalidFilterParameters
}
to, ok := args[1].(string)
if !ok {
return nil, filters.ErrInvalidFilterParameters
}

var (
encoder *xencoding.Encoder
)

switch to {
case "ISO8859_1":
encoder = charmap.ISO8859_1.NewEncoder()
case "ISO8859_10":
encoder = charmap.ISO8859_10.NewEncoder()
case "ISO8859_13":
encoder = charmap.ISO8859_13.NewEncoder()
case "ISO8859_14":
encoder = charmap.ISO8859_14.NewEncoder()
case "ISO8859_15":
encoder = charmap.ISO8859_15.NewEncoder()
case "ISO8859_16":
encoder = charmap.ISO8859_16.NewEncoder()
case "ISO8859_2":
encoder = charmap.ISO8859_2.NewEncoder()
case "ISO8859_3":
encoder = charmap.ISO8859_3.NewEncoder()
case "ISO8859_4":
encoder = charmap.ISO8859_4.NewEncoder()
case "ISO8859_5":
encoder = charmap.ISO8859_5.NewEncoder()
case "ISO8859_6":
encoder = charmap.ISO8859_6.NewEncoder()
case "ISO8859_7":
encoder = charmap.ISO8859_7.NewEncoder()
case "ISO8859_8":
encoder = charmap.ISO8859_8.NewEncoder()
case "ISO8859_9":
encoder = charmap.ISO8859_9.NewEncoder()
case "KOI8R":
encoder = charmap.KOI8R.NewEncoder()
case "KOI8U":
encoder = charmap.KOI8U.NewEncoder()
case "Macintosh":
encoder = charmap.Macintosh.NewEncoder()
case "MacintoshCyrillic":
encoder = charmap.MacintoshCyrillic.NewEncoder()
case "Windows1250":
encoder = charmap.Windows1250.NewEncoder()
case "Windows1251":
encoder = charmap.Windows1251.NewEncoder()
case "Windows1252":
encoder = charmap.Windows1252.NewEncoder()
case "Windows1253":
encoder = charmap.Windows1253.NewEncoder()
case "Windows1254":
encoder = charmap.Windows1254.NewEncoder()
case "Windows1255":
encoder = charmap.Windows1255.NewEncoder()
case "Windows1256":
encoder = charmap.Windows1256.NewEncoder()
case "Windows1257":
encoder = charmap.Windows1257.NewEncoder()
case "Windows1258":
encoder = charmap.Windows1258.NewEncoder()
case "Windows874":
encoder = charmap.Windows874.NewEncoder()
default:
log.Errorf("Unknown encoder for %q", to)
return nil, filters.ErrInvalidFilterParameters
}

return &encodeHeader{
typ: spec.typ,
header: header,
encoder: encoder,
}, nil
}

func (f *encodeHeader) Request(ctx filters.FilterContext) {
if f.typ != requestEncoder {
return
}

s := ctx.Request().Header.Get(f.header)
if s == "" {
return
}

sNew, err := f.encoder.String(s)
if err != nil {
log.Errorf("Failed to encode %q: %v", s, err)

Check failure

Code scanning / CodeQL

Clear-text logging of sensitive information High

Sensitive data returned by HTTP request headers
flows to a logging call.

Copilot Autofix AI 7 days ago

To fix the problem, we should avoid logging the sensitive information directly. Instead, we can log a generic message indicating that an error occurred without including the sensitive data. This approach maintains the functionality of logging errors while protecting potentially sensitive information.

  • Modify the log statement on line 147 to remove the sensitive data (s).
  • Log a generic error message that does not include the sensitive data.
filters/builtin/header_encode.go

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/filters/builtin/header_encode.go b/filters/builtin/header_encode.go
--- a/filters/builtin/header_encode.go
+++ b/filters/builtin/header_encode.go
@@ -146,3 +146,3 @@
 	if err != nil {
-		log.Errorf("Failed to encode %q: %v", s, err)
+		log.Errorf("Failed to encode header value: %v", err)
 	}
EOF
@@ -146,3 +146,3 @@
if err != nil {
log.Errorf("Failed to encode %q: %v", s, err)
log.Errorf("Failed to encode header value: %v", err)
}
Copilot is powered by AI and may make mistakes. Always verify output.
}
ctx.Request().Header.Set(f.header, sNew)
}

func (f *encodeHeader) Response(ctx filters.FilterContext) {
if f.typ != responseEncoder {
return
}
s := ctx.Response().Header.Get(f.header)
if s == "" {
return
}

sNew, err := f.encoder.String(s)
if err != nil {
log.Errorf("Failed to encode %q: %v", s, err)
}
ctx.Response().Header.Set(f.header, sNew)

}
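Review bot: Both `Request` and `Response` fall through after the `log.Errorf` when `f.encoder.String(s)` fails, so the header is still overwritten with `sNew`. If `String` returns an empty string on error (which I believe the x/text encoder does), a client-supplied value containing a character outside the target charset would blank the header instead of leaving it untouched. Add a `return` directly after the `log.Errorf` call in each method so the original value is forwarded unchanged on failure. Separately, `Header.Get` followed by `Header.Set` collapses a multi-valued header to its encoded first value; if that is intended it deserves a comment on `encodeHeader`, otherwise iterate over `Header.Values(f.header)`.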
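--- a/filters/builtin/header_encode_test.go
+++ b/filters/builtin/header_encode_test.go
@@ -0,0 +1,115 @@
+package builtin
+
+import (
+"fmt"
+"net/http"
+"net/http/httptest"
+"testing"
+
+"github.com/zalando/skipper/eskip"
+"github.com/zalando/skipper/filters"
+"github.com/zalando/skipper/filters/diag"
+"github.com/zalando/skipper/proxy/proxytest"
+"github.com/zalando/skipper/routing"
+"github.com/zalando/skipper/routing/testdataclient"
+)
+
+func Test_encodeRequestHeader(t *testing.T) {
+tests := []struct {
+name string
+doc string
+data string
+want []byte
+}{
+{
+name: "test request header Windows1252",
+doc: `r: * -> encodeRequestHeader("X-Test", "Windows1252") -> logHeader("request")-> "%s";`,
+data: `für`,
+want: []byte{102, 252, 114}, //`f\xfcr`,
+},
+}
+for _, tt := range tests {
+t.Run(tt.name, func(t *testing.T) {
+backend := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+w.Header().Set("Result", r.Header.Get("Result"))
+w.WriteHeader(http.StatusOK)
+}))
+defer backend.Close()
+
+r := eskip.MustParse(fmt.Sprintf(tt.doc, backend.URL))
+fr := make(filters.Registry)
+fr.Register(NewEncodeRequestHeader())
+fr.Register(diag.NewLogHeader())
+
+dc := testdataclient.New(r)
+defer dc.Close()
+
+proxy := proxytest.WithRoutingOptions(fr, routing.Options{
+DataClients: []routing.DataClient{dc},
+})
+defer proxy.Close()
+
+req, err := http.NewRequest("GET", proxy.URL, nil)
+if err != nil {
+t.Fatalf("Failed to create request: %v", err)
+}
+req.Header.Set("Result", tt.data)
+
+rsp, err := proxy.Client().Do(req)
+if err != nil {
+t.Fatalf("Failed to do request: %v", err)
+}
+defer rsp.Body.Close()
+if result := rsp.Header.Get("Result"); result != string(tt.want) {
+t.Fatalf("Failed to get %q, got %q", tt.want, result)
+}
+})
+}
+}
+
+func Test_encodeResponseHeader(t *testing.T) {
+tests := []struct {
+name string
+doc string
+data string
+want []byte
+}{
+{
+name: "test response header Windows1252",
+doc: `r: * -> encodeResponseHeader("Result", "Windows1252") -> setResponseHeader("Result", "%s") -> <shunt>;`,
+data: `für`,
+want: []byte{102, 252, 114}, //`f\xfcr`,
+},
+}
+for _, tt := range tests {
+t.Run(tt.name, func(t *testing.T) {
+r := eskip.MustParse(fmt.Sprintf(tt.doc, tt.data))
+fr := make(filters.Registry)
+fr.Register(NewEncodeResponseHeader())
+fr.Register(NewSetResponseHeader())
+
+dc := testdataclient.New(r)
+defer dc.Close()
+
+proxy := proxytest.WithRoutingOptions(fr, routing.Options{
+DataClients: []routing.DataClient{dc},
+})
+defer proxy.Close()
+
+req, err := http.NewRequest("GET", proxy.URL, nil)
+if err != nil {
+t.Fatalf("Failed to create request: %v", err)
+}
+
+rsp, err := proxy.Client().Do(req)
+if err != nil {
+t.Fatalf("Failed to do request: %v", err)
+}
+defer rsp.Body.Close()
+if result := rsp.Header.Get("Result"); result != string(tt.want) {
+t.Fatalf("Failed to get %q, got %q", tt.want, result)
+}
+
+})
+}
+}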
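Review bot: `Test_encodeRequestHeader` configures the filter for `X-Test` but sends and asserts on `Result`, so as far as the visible lines show the filter never sees the header the test checks. The route should use `encodeRequestHeader("Result", "Windows1252")`, or the request should set `X-Test` and the backend echo that header. Both tests also cover only a value that encodes cleanly. A case with a character outside the target charset (for example `€` with `ISO8859_1`) and one passing an unknown charset name to `CreateFilter` would pin the error paths, which is where the handling of client-supplied header values matters most.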
2 changes: 2 additions & 0 deletions filters/filters.go
Expand Up @@ -230,6 +230,8 @@ const (
AppendContextResponseHeaderName = "appendContextResponseHeader"
CopyRequestHeaderName = "copyRequestHeader"
CopyResponseHeaderName = "copyResponseHeader"
EncodeRequestHeaderName = "encodeRequestHeader"
EncodeResponseHeaderName = "encodeResponseHeader"
ModPathName = "modPath"
SetPathName = "setPath"
RedirectToName = "redirectTo"